Curious about this firewall test

Here's a link to the site:


http://www.firewallleaktester.com/leaktest13.htm


" Generally, when an application accesses the Internet, the firewall uses the Windows API to retrieve the parent PID and name (the executable which launched the trusted application) and, when they have it, they freeze it (suspend) and ask you what to do (allow/deny).


To avoid being seen, Ghost, once it has handed the information to send to the default browser, changes its PID by shutting itself down and restarting itself to continue sending data.


Ghost just tries to reach one page, sending a string to it.


Meaning


If the test is a success, this means that your firewall "parent/child network access monitoring" is checking too late that an executable is launching another one to access the Internet.


If Ghost.exe is seen and apparently frozen, but the first page is reached, this means that your firewall's "parent/child network access monitoring" is nearly good, but it's still checking too late.


A page reached = could, in theory, be the sending of your credit card number.


If no information can be sent, no page is reached at all, and Ghost.exe is seen by the firewall, you have strong "parent/child network access monitoring"."


So my question is: should I be concerned about something like this, and can I adjust my settings to prevent something like this from getting through? Please shed some light on this type of test for me.


Thanks.
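The quoted description hinges on timing: a firewall that asks the OS for the parent PID only at the moment of the connection can no longer see a parent that has already exited. The simulation below is an added illustration, not code from the leak-test site or from any firewall; the process table, the process names and both checks are constructed here, and PIDs are deliberately never reused (a real Windows kernel may recycle them, which makes the late walk even less reliable).

```python
"""Simulation of "parent/child network access monitoring" against the
restart trick described above.  Added example: the process table, the
names (explorer.exe, ghost.exe, iexplore.exe) and both checks are
constructed here and are not the leak test's or any vendor's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    name: str
    ppid: Optional[int]
    lineage: Tuple[str, ...]  # ancestor names captured when the process was created


class ProcessTable:
    """Minimal process table holding live processes only; PIDs are never reused."""

    def __init__(self) -> None:
        self.live: Dict[int, Proc] = {}
        self._next_pid = 1000

    def spawn(self, name: str, parent: Optional[Proc] = None) -> Proc:
        pid, self._next_pid = self._next_pid, self._next_pid + 1
        lineage = parent.lineage + (parent.name,) if parent else ()
        proc = Proc(pid, name, parent.pid if parent else None, lineage)
        self.live[pid] = proc
        return proc

    def exit(self, proc: Proc) -> None:
        del self.live[proc.pid]


def late_parent_chain(table: ProcessTable, proc: Proc) -> List[str]:
    """The "too late" check: walk the parent PIDs only when the connection is
    attempted.  The walk stops as soon as a parent is no longer in the table,
    so a parent that exited after launching the child simply disappears."""
    chain: List[str] = []
    ppid = proc.ppid
    while ppid is not None and ppid in table.live:
        parent = table.live[ppid]
        chain.append(parent.name)
        ppid = parent.ppid
    return chain


def verdict(chain: List[str], trusted: frozenset) -> str:
    """Allow only if every ancestor seen is a trusted launcher; an empty chain
    looks like a process with no suspicious parent and is therefore allowed."""
    return "allow" if all(name in trusted for name in chain) else "prompt"


def run_ghost_scenario(trusted: frozenset = frozenset({"explorer.exe"})) -> dict:
    table = ProcessTable()
    explorer = table.spawn("explorer.exe")
    ghost = table.spawn("ghost.exe", explorer)
    browser = table.spawn("iexplore.exe", ghost)  # launched with the page URL and the string
    table.exit(ghost)                             # Ghost shuts itself down ...
    table.spawn("ghost.exe", explorer)            # ... and restarts under a new PID
    # Only now does the browser open its connection.
    late = late_parent_chain(table, browser)
    early = list(browser.lineage)  # lineage recorded at spawn time, before Ghost exited
    return {
        "late_chain": late,
        "late_verdict": verdict(late, trusted),
        "early_chain": early,
        "early_verdict": verdict(early, trusted),
    }


if __name__ == "__main__":
    for key, value in run_ghost_scenario().items():
        print(f"{key}: {value}")
```

The late walk returns an empty chain and allows the browser (the leak), while the lineage captured at process creation still contains ghost.exe and produces a prompt. That is the difference between the "checking too late" and "strong" outcomes in the quoted text.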

Comments

  • alexcrist
    edited April 2007

    Hi Jimbo Kern,


    At the first sight, this looks like a very serious thing.


    But I've made some tests and I think that this test is nothing more than a joke. I'm not a BitDefender Official, I didn't make any professional tests, so I might be wrong.


    This is what I discovered:


    Ghost.exe does not send anything anywhere. It does not "launch a child process to send data". It just opens an Internet Explorer page with some parameters, and that's what sends the data. Ghost.exe doesn't even use the default Internet browser (I use Firefox); it always uses IE.


    It has a clever way to send data, because that page also has a code (not just the string you try to send). If you try to manually change the string, but you don't change that code, you get a warning saying: "Your complete action has been logged, and if further abused it will be reported to the concerned authorities." (a lame try to make you stop testing the page, if you ask me).


    I've made this test: Open BitDefender, go to Firewall and click on Block all traffic. Then I used Ghost.exe. It opened IE with the page I was supposed to view. Of course, it didn't work, because the traffic was blocked. (I've sent "test")


    I opened BitDefender and un-blocked the traffic. Then I pushed Refresh on the page that IE was trying to access just a few seconds earlier. BANG!! The string I sent with Ghost.exe was there (I've sent "test1"). You might say: "That means that Ghost.exe passed the Block all Traffic option", right? WRONG!


    It seemed very suspicious to me, so I made the following test: I hit Refresh in IE again, and again, and again. Every time I hit that button, the string I sent appeared again and again and again. By the time I stopped, the string was in that list for about 6-7 times (The string was "test1").


    After seeing this, I made the next test:


    I kept IE open showing the previous page, with those parameters.


    I blocked all traffic in BD.


    I used Ghost.exe to send another string. A new IE window appeared, showing the page with new parameters. (Of course, I got the error that the page cannot be displayed). (I've sent "test2")


    I un-blocked the traffic from BD and switched to the previous IE test window (the first one, with the "test1" string). I hit Refresh, and the first string (test1) appeared again in the list. But the "test2" string, which I sent just a few seconds before, was NOT IN THE LIST.


    Conclusion: This test is just a joke! As I said, I'm not a professional, so I might be wrong. I advise BD Officials to take a look at this so-called Firewall Leak Test.


    BTW: I enabled BD Privacy Control, added the string "test3" and tried to send that string with Ghost.exe. The page was blocked by BD. So, if you have any doubts about my test results, just add your private data to BD Privacy Control until one of the BD Officials gives us a professional answer about this issue.


    Cris.


    EDIT: Oh, one more thing: if you block IE from BD Firewall and use only another browser, Ghost.exe does not even work. ;)

  • Jimbo Kern
    edited April 2007

    Cris,


    Thanks for the response on this. Hopefully someone from Bitdefender can clear this up. After reading your post I ran the same test and got the same results. I saw all your tests on there btw.... :P So I have another question: it seems this test resembles some type of phishing. I noticed the site is not secure, so if I used privacy control with Bitdefender it wouldn't work anyway because it's an HTTP site, not HTTPS, is that correct? Also, when using the privacy control, do I enter the entire string of data I want protected or just a partial? I am trying to understand exactly how the privacy control works.


    Thanks for the help…

  • alexcrist
    edited April 2007

    Hi Jimbo Kern,


    You misunderstood how BD Privacy Control works. It scans HTTP and SMTP, and does not scan HTTPS. So, with this page, your private data will be blocked by BD (if enabled). I've tested this.


    It does not matter if you add to BD Privacy Control the full text, or just a part of it (but it is recommended that you type only part of it). BD will block it either way. The important thing you have to know is that in Privacy Control you have to add only one single word per rule. That word must not contain any characters except letters (a-z, A-Z) and/or numbers (0-9).


    Take a look at this page: http://forum.bitdefender.com/index.php?sho...9entry679


    If you have other questions about this, post them and I'll try to answer.


    Cris.
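    The filter described in the post above (one alphanumeric word per rule, a partial value is enough, HTTP and SMTP inspected, HTTPS not) can be modelled as an outbound content check. The code below is an added illustration and not BitDefender's implementation: the matching is plain substring search over the payload as sent and after URL-decoding, the request samples are constructed, and the `string=` query parameter and the path are assumptions about how the leak-test page is called, which the thread does not show.

```python
"""Model of a Privacy Control-style outbound filter.  Added example, not
BitDefender's code: rule syntax and inspected protocols follow the post,
matching strategy and sample requests are constructed here."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

RULE_WORD = re.compile(r"[A-Za-z0-9]+")
INSPECTED = {"http", "smtp"}  # cleartext protocols; https is opaque to the filter


def rule_is_valid(word: str) -> bool:
    """A rule is one word made only of letters a-z, A-Z and digits 0-9."""
    return RULE_WORD.fullmatch(word) is not None


def add_rule(rules: List[str], word: str) -> List[str]:
    if not rule_is_valid(word):
        raise ValueError(f"rule must be a single alphanumeric word, got {word!r}")
    rules.append(word)
    return rules


def views(payload: str):
    """Yield the payload as sent and, if different, URL-decoded, so a value
    that was percent-encoded into a query string is still found."""
    yield payload
    decoded = unquote_plus(payload)
    if decoded != payload:
        yield decoded


def check_outbound(protocol: str, payload: str, rules: List[str]) -> Tuple[str, Optional[str]]:
    """Return ("not-inspected", None) for protocols the filter cannot read,
    ("blocked", rule) for the first rule found in any view, else ("allowed", None).
    A partial value ("1111") matches a longer secret because the test is a
    substring search, which is why the post recommends adding only part."""
    if protocol.lower() not in INSPECTED:
        return ("not-inspected", None)
    for view in views(payload):
        for rule in rules:
            if rule in view:
                return ("blocked", rule)
    return ("allowed", None)


# Constructed samples.  Path and parameter name are assumptions; the card
# number is the common test value 4111 1111 1111 1111, not real data.
GHOST_STYLE_GET = (
    "GET /leaktest13.htm?string=card%204111%201111%201111%201111 HTTP/1.1\r\n"
    "Host: www.firewallleaktester.com\r\n\r\n"
)
CLEAN_GET = "GET /leaktest13.htm?string=test HTTP/1.1\r\nHost: www.firewallleaktester.com\r\n\r\n"
SMTP_BODY = "From: me@example.com\r\nTo: you@example.com\r\n\r\nmy card is 4111 1111 1111 1111\r\n"


def demo() -> dict:
    rules = add_rule([], "1111")  # only part of the number, as the post recommends
    return {
        "http_get": check_outbound("http", GHOST_STYLE_GET, rules),
        "smtp": check_outbound("smtp", SMTP_BODY, rules),
        "https": check_outbound("https", GHOST_STYLE_GET, rules),
        "clean_http": check_outbound("http", CLEAN_GET, rules),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The HTTPS case is the point Jimbo Kern asked about: the same request over TLS is not inspected at all, so the protection only applies to cleartext HTTP and SMTP.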

  • Hi Jimbo Kern,


    You understood wrong how BD Privacy Control works. It scans HTTP and SMTP, and does not scan HTTPS. So, with this page, your private data will be blocked by BD (if enabled). I've tested this.


    Thanks. I think there was a misunderstanding. What I meant was: since HTTPS is supposed to be secure, Bitdefender wouldn't block, let's say, entering credit card data with privacy control enabled, but if you try and enter it on a non-secure site such as HTTP or SMTP with the privacy control enabled, Bitdefender would block access. Is this correct?

  • Yes, this is correct.

  • Hi Jimbo Kern


    If you are interested in testing your firewall, you might try Steve Gibson's web page at grc.com. He has a leak tester, and the Shields Up page can scan your computer for firewall inbound vulnerabilities. Some of the other leak testers I've seen out there contained viruses or trojans, but as far as I know Gibson's stuff is safe. I've never had any trouble with them. If any others on the forum know any better, please let Jimbo know.

  • Here is another list to test if your firewall works well:


    http://www.hackerwatch.org/probe/


    http://www.pcflank.com/index.htm


    If all ports are stealthed then you are safe. I also don't trust it when you have to download a test. Grc.com is a trustworthy site.